1#!/usr/bin/env python3.4
2#
3#   Copyright 2020 - The Android Open Source Project
4#
5#   Licensed under the Apache License, Version 2.0 (the "License");
6#   you may not use this file except in compliance with the License.
7#   You may obtain a copy of the License at
8#
9#       http://www.apache.org/licenses/LICENSE-2.0
10#
11#   Unless required by applicable law or agreed to in writing, software
12#   distributed under the License is distributed on an "AS IS" BASIS,
13#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14#   See the License for the specific language governing permissions and
15#   limitations under the License.
16
17from acts import asserts
18from acts.test_decorators import test_tracker_info
19import acts_contrib.test_utils.wifi.wifi_test_utils as wutils
20from acts_contrib.test_utils.wifi.WifiBaseTest import WifiBaseTest
21
22WifiEnums = wutils.WifiEnums
23
24EAP = WifiEnums.Eap
25Ent = WifiEnums.Enterprise
26WPA3_SECURITY = "SUITE_B_192"
27
28
29class WifiWpa3EnterpriseTest(WifiBaseTest):
30  """Tests for WPA3 Enterprise."""
31
32  def setup_class(self):
33    super().setup_class()
34
35    self.dut = self.android_devices[0]
36    wutils.wifi_test_device_init(self.dut)
37    req_params = [
38        "ec2_ca_cert", "ec2_client_cert", "ec2_client_key", "rsa3072_ca_cert",
39        "rsa3072_client_cert", "rsa3072_client_key", "wpa3_ec2_network",
40        "wpa3_rsa3072_network", "rsa2048_client_cert", "rsa2048_client_key",
41        "rsa3072_client_cert_expired", "rsa3072_client_cert_corrupted",
42        "rsa3072_client_cert_unsigned", "rsa3072_client_key_unsigned",
43    ]
44    self.unpack_userparams(req_param_names=req_params,)
45
46  def setup_test(self):
47    super().setup_test()
48    for ad in self.android_devices:
49      ad.droid.wakeLockAcquireBright()
50      ad.droid.wakeUpNow()
51    wutils.wifi_toggle_state(self.dut, True)
52
53  def teardown_test(self):
54    super().teardown_test()
55    for ad in self.android_devices:
56      ad.droid.wakeLockRelease()
57      ad.droid.goToSleepNow()
58    wutils.reset_wifi(self.dut)
59
60  ### Tests ###
61
62  @test_tracker_info(uuid="404c6165-6e23-4ec1-bc2c-9dfdd5c7dc87")
63  def test_connect_to_wpa3_enterprise_ec2(self):
64    asserts.skip_if(
65        self.dut.build_info["build_id"].startswith("R"),
66        "No SL4A support for EC certs in R builds. Skipping this testcase")
67    config = {
68        Ent.EAP: int(EAP.TLS),
69        Ent.CA_CERT: self.ec2_ca_cert,
70        WifiEnums.SSID_KEY: self.wpa3_ec2_network[WifiEnums.SSID_KEY],
71        Ent.CLIENT_CERT: self.ec2_client_cert,
72        Ent.PRIVATE_KEY_ID: self.ec2_client_key,
73        WifiEnums.SECURITY: WPA3_SECURITY,
74        "identity": self.wpa3_ec2_network["identity"],
75        "domain_suffix_match": self.wpa3_ec2_network["domain"],
76        "cert_algo": self.wpa3_ec2_network["cert_algo"]
77    }
78    wutils.connect_to_wifi_network(self.dut, config)
79
80  @test_tracker_info(uuid="b6d22585-f7c1-418d-bd4b-b627af8c228c")
81  def test_connect_to_wpa3_enterprise_rsa3072(self):
82    config = {
83        Ent.EAP: int(EAP.TLS),
84        Ent.CA_CERT: self.rsa3072_ca_cert,
85        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
86        Ent.CLIENT_CERT: self.rsa3072_client_cert,
87        Ent.PRIVATE_KEY_ID: self.rsa3072_client_key,
88        WifiEnums.SECURITY: WPA3_SECURITY,
89        "identity": self.wpa3_rsa3072_network["identity"],
90        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]
91    }
92    # Synology AP is slow in sending out IP address after the connection.
93    # Increasing the wait time to receive IP address to 60s from 15s.
94    wutils.connect_to_wifi_network(self.dut, config, check_connectivity=False)
95    wutils.validate_connection(self.dut, wait_time=60)
96
97  @test_tracker_info(uuid="4779c662-1925-4c26-a4d6-3d729393796e")
98  def test_connect_to_wpa3_enterprise_insecure_rsa_cert(self):
99    config = {
100        Ent.EAP: int(EAP.TLS),
101        Ent.CA_CERT: self.rsa3072_ca_cert,
102        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
103        Ent.CLIENT_CERT: self.rsa2048_client_cert,
104        Ent.PRIVATE_KEY_ID: self.rsa2048_client_key,
105        WifiEnums.SECURITY: WPA3_SECURITY,
106        "identity": self.wpa3_rsa3072_network["identity"],
107        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]
108    }
109    logcat_msg = "E WifiKeyStore: Invalid certificate type for Suite-B"
110    try:
111      wutils.connect_to_wifi_network(self.dut, config)
112      asserts.fail("WPA3 Ent worked with insecure RSA key. Expected to fail.")
113    except:
114      logcat_search = self.dut.search_logcat(logcat_msg)
115      self.log.info("Logcat search results: %s" % logcat_search)
116      asserts.assert_true(logcat_search, "No valid error msg in logcat")
117
118  @test_tracker_info(uuid="897957f3-de25-4f9e-b6fc-9d7798ea1e6f")
119  def test_connect_to_wpa3_enterprise_expired_rsa_cert(self):
120    config = {
121        Ent.EAP: int(EAP.TLS),
122        Ent.CA_CERT: self.rsa3072_ca_cert,
123        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
124        Ent.CLIENT_CERT: self.rsa3072_client_cert_expired,
125        Ent.PRIVATE_KEY_ID: self.rsa2048_client_key,
126        WifiEnums.SECURITY: WPA3_SECURITY,
127        "identity": self.wpa3_rsa3072_network["identity"],
128        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]
129    }
130    logcat_msg = "E WifiKeyStore: Invalid certificate type for Suite-B"
131    try:
132      wutils.connect_to_wifi_network(self.dut, config)
133      asserts.fail("WPA3 Ent worked with expired cert. Expected to fail.")
134    except:
135      logcat_search = self.dut.search_logcat(logcat_msg)
136      self.log.info("Logcat search results: %s" % logcat_search)
137      asserts.assert_true(logcat_search, "No valid error msg in logcat")
138
139  @test_tracker_info(uuid="f7ab30e2-f2b5-488a-8667-e45920fc24d1")
140  def test_connect_to_wpa3_enterprise_corrupted_rsa_cert(self):
141    config = {
142        Ent.EAP: int(EAP.TLS),
143        Ent.CA_CERT: self.rsa3072_ca_cert,
144        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
145        Ent.CLIENT_CERT: self.rsa3072_client_cert_corrupted,
146        Ent.PRIVATE_KEY_ID: self.rsa2048_client_key,
147        WifiEnums.SECURITY: WPA3_SECURITY,
148        "identity": self.wpa3_rsa3072_network["identity"],
149        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]
150    }
151    try:
152      wutils.connect_to_wifi_network(self.dut, config)
153      asserts.fail("WPA3 Ent worked with corrupted cert. Expected to fail.")
154    except:
155      asserts.explicit_pass("Connection failed as expected.")
156
157  @test_tracker_info(uuid="f934f388-dc0b-4c78-a493-026b798c15ca")
158  def test_connect_to_wpa3_enterprise_unsigned_rsa_cert(self):
159    config = {
160        Ent.EAP: int(EAP.TLS),
161        Ent.CA_CERT: self.rsa3072_ca_cert,
162        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
163        Ent.CLIENT_CERT: self.rsa3072_client_cert_unsigned,
164        Ent.PRIVATE_KEY_ID: self.rsa3072_client_key_unsigned,
165        WifiEnums.SECURITY: WPA3_SECURITY,
166        "identity": self.wpa3_rsa3072_network["identity"],
167        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]
168    }
169    try:
170      wutils.connect_to_wifi_network(self.dut, config)
171      asserts.fail("WPA3 Ent worked with unsigned cert. Expected to fail.")
172    except:
173      asserts.explicit_pass("Connection failed as expected.")
174
175  @test_tracker_info(uuid="7082dc90-5eb8-4055-8b48-b555a98a837a")
176  def test_connect_to_wpa3_enterprise_wrong_domain_rsa_cert(self):
177    config = {
178        Ent.EAP: int(EAP.TLS),
179        Ent.CA_CERT: self.rsa3072_ca_cert,
180        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
181        Ent.CLIENT_CERT: self.rsa3072_client_cert,
182        Ent.PRIVATE_KEY_ID: self.rsa3072_client_key,
183        WifiEnums.SECURITY: WPA3_SECURITY,
184        "identity": self.wpa3_rsa3072_network["identity"],
185        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]+"_wrong"
186    }
187    try:
188      wutils.connect_to_wifi_network(self.dut, config)
189      asserts.fail("WPA3 Ent worked with unsigned cert. Expected to fail.")
190    except:
191      asserts.explicit_pass("Connection failed as expected.")
192
193  @test_tracker_info(uuid="9ad5fd82-f115-42c3-b8e8-520144485ea1")
194  def test_network_selection_status_for_wpa3_ent_wrong_domain_rsa_cert(self):
195    config = {
196        Ent.EAP: int(EAP.TLS),
197        Ent.CA_CERT: self.rsa3072_ca_cert,
198        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
199        Ent.CLIENT_CERT: self.rsa3072_client_cert,
200        Ent.PRIVATE_KEY_ID: self.rsa2048_client_key,
201        WifiEnums.SECURITY: WPA3_SECURITY,
202        "identity": self.wpa3_rsa3072_network["identity"],
203        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]+"_wrong"
204    }
205    try:
206      wutils.connect_to_wifi_network(self.dut, config)
207      asserts.fail("WPA3 Ent worked with corrupted cert. Expected to fail.")
208    except:
209      asserts.assert_true(
210          self.dut.droid.wifiIsNetworkTemporaryDisabledForNetwork(config),
211          "WiFi network is not temporary disabled.")
212      asserts.explicit_pass(
213          "Connection failed with correct network selection status.")
214